[liberationtech] Google confirms critical Android crypto flaw
Maxim Kammerer
mk at dee.su
Thu Aug 15 05:38:56 PDT 2013
On Thu, Aug 15, 2013 at 2:34 PM, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> The best description is here:
> http://armoredbarista.blogspot.ch/2013/03/randomly-failed-weaknesses-in-java.html
Unbelievable… It seems that PRNG implementers suffer from NIH
syndrome. If you are going to use /dev/urandom, then use it all the
time, and rely on code that's reviewed and maintained by thousands of
kernel people, not just your favorite buggy seeded PRNG du-jour. And
even sans the bugs, consider something like the following in Apache
Harmony (precursor of Dalvik's class library) [1, p. 131]:
iv = sha1(iv,concat(state, cnt));
cnt = cnt + 1;
return iv;
So they're essentially constructing a state-based bit stream that
varies in each block, and hash it with SHA-1 — exposing each
intermediate hash value in the middle. Who the hell told them it's
safe from cryptanalysis POV? E.g., SP800-90A's Hash_DRBG [2, p. 40]
resembles nothing of the sort.
[1] http://dx.doi.org/10.1007/978-3-642-36095-4_9
[2] http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
More information about the liberationtech
mailing list